From: Jonathan A. <jo...@sq...> - 2005-12-03 02:44:32
Hi Thijs,

On Friday, December 02, 2005 you wrote:

> On Fri, 2005-12-02 at 16:23 +0200, Tomas Kuliavas wrote:
>> Running SquirrelMail with rg=on might cause variable corruption. Some
>> security issues can be exploited only when globals are on. Check is fatal
>> in order to prevent dangerous PHP configuration. It does not fix our code
>> and does not prevent using SquirrelMail in rg=on setups. But if admins use
>> configtest.php utility, they will have to turn off globals in order to
>> pass all tests.
>>
>> I would like to keep it fatal.

> If others agree on this then we should do more to communicate that: put
> it in the readme, in the documentation, in the docs on the site etc. If
> we really think admins should do this then we should make that as clear
> to them as possible.

I'd have thought the PHP documentation yelling at the admins not to run with rg=1 would be quite good, though I certainly second for our documentation to reflect it... in fact... I thought it was somewhere, with references to the PHP documentation, but I cannot find it now.

--
Jonathan Angliss
<jo...@sq...>